Snyk and fine tuning

Author: siddharth-singh1

.snyk

@@ -2,9 +2,7 @@
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
   SNYK-CC-TF-1:
-    - 'main.tf > input > resource > aws_security_group[ecs_task_sg] > ingress':
-        reason: That inbound traffic is allowed to a resource from any source instead
-                of a restricted range. That potentially everyone can access your
-                resource
-        expires: 2025-04-01T00:00:00.000Z
+    - 'modules/alb/main.tf > input > resource > aws_security_group[lb_sg] > ingress[0]':
+        reason: That inbound traffic is allowed to a resource from any source as it is for an internet facing ALB.
+        expires: 2026-04-01T00:00:00.000Z
         created: 2023-02-28T18:20:39.256Z

README.md

@@ -13,7 +13,6 @@ SourceFuse's AWS Reference Architecture Terraform module leverages the terraform
 
 The module assumes that upstream dependencies, namely networking dependencies, are created upstream and the values are passed into this module via mechanisms such as Terraform data source queries.
 
-![Module Structure](./static/ecs_module_hla.png)
 
 The module provisions
 
@@ -133,14 +132,12 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_alb"></a> [alb](#input\_alb) | Configuration settings for the Application Load Balancer (ALB). This includes attributes related to the ALB itself, such as its name, port, protocol, and other optional settings like access logs and tags. | <pre>object({<br/>    name                       = optional(string, null)<br/>    port                       = optional(number)<br/>    protocol                   = optional(string, "HTTP")<br/>    internal                   = optional(bool, false)<br/>    load_balancer_type         = optional(string, "application")<br/>    idle_timeout               = optional(number, 60)<br/>    enable_deletion_protection = optional(bool, false)<br/>    enable_http2               = optional(bool, true)<br/>    certificate_arn            = optional(string, null)<br/><br/>    access_logs = optional(object({<br/>      bucket  = string<br/>      enabled = optional(bool, false)<br/>      prefix  = optional(string, "")<br/>    }))<br/><br/>    tags = optional(map(string), {})<br/>  })</pre> | n/a | yes |
+| <a name="input_alb"></a> [alb](#input\_alb) | Configuration settings for the Application Load Balancer (ALB). This includes attributes related to the ALB itself, such as its name, port, protocol, and other optional settings like access logs and tags. | <pre>object({<br/>    name                       = optional(string, null)<br/>    port                       = optional(number)<br/>    protocol                   = optional(string, "HTTP")<br/>    internal                   = optional(bool, false)<br/>    load_balancer_type         = optional(string, "application")<br/>    idle_timeout               = optional(number, 60)<br/>    enable_deletion_protection = optional(bool, false)<br/>    enable_http2               = optional(bool, true)<br/>    certificate_arn            = optional(string, null)<br/>    create_alb                 = optional(bool, false)<br/><br/>    access_logs = optional(object({<br/>      bucket  = string<br/>      enabled = optional(bool, false)<br/>      prefix  = optional(string, "")<br/>    }))<br/><br/>    tags = optional(map(string), {})<br/>  })</pre> | n/a | yes |
 | <a name="input_alb_target_group"></a> [alb\_target\_group](#input\_alb\_target\_group) | List of target groups to create | <pre>list(object({<br/>    name                              = optional(string, "target-group")<br/>    port                              = number<br/>    protocol                          = optional(string, null)<br/>    protocol_version                  = optional(string, "HTTP1")<br/>    vpc_id                            = optional(string, "")<br/>    target_type                       = optional(string, "ip")<br/>    ip_address_type                   = optional(string, "ipv4")<br/>    load_balancing_algorithm_type     = optional(string, "round_robin")<br/>    load_balancing_cross_zone_enabled = optional(string, "use_load_balancer_configuration")<br/>    deregistration_delay              = optional(number, 300)<br/>    slow_start                        = optional(number, 0)<br/>    tags                              = optional(map(string), {})<br/><br/>    health_check = optional(object({<br/>      enabled             = optional(bool, true)<br/>      protocol            = optional(string, "HTTP")<br/>      path                = optional(string, "/")<br/>      port                = optional(string, "traffic-port")<br/>      timeout             = optional(number, 6)<br/>      healthy_threshold   = optional(number, 3)<br/>      unhealthy_threshold = optional(number, 3)<br/>      interval            = optional(number, 30)<br/>      matcher             = optional(string, "200")<br/>    }))<br/><br/>    stickiness = optional(object({<br/>      enabled         = optional(bool, true)<br/>      type            = string<br/>      cookie_duration = optional(number, 86400)<br/>      })<br/>    )<br/><br/>  }))</pre> | n/a | yes |
-| <a name="input_capacity_provider"></a> [capacity\_provider](#input\_capacity\_provider) | Configuration settings for the ECS capacity providers, including the capacity providers used for autoscaling and Fargate. This variable defines the properties of each capacity provider and how they are managed, such as scaling policies and termination protection. | <pre>object({<br/>    autoscaling_capacity_providers = map(object({<br/>      name                           = optional(string)<br/>      auto_scaling_group_arn         = string<br/>      managed_termination_protection = optional(string, "DISABLED")<br/>      managed_draining               = optional(string, "ENABLED")<br/>      managed_scaling = optional(object({<br/>        instance_warmup_period    = optional(number)<br/>        maximum_scaling_step_size = optional(number)<br/>        minimum_scaling_step_size = optional(number)<br/>        status                    = optional(string)<br/>        target_capacity           = optional(number)<br/>      }))<br/>      tags = optional(map(string), {})<br/>    }))<br/>    default_capacity_provider_use_fargate = bool<br/>    fargate_capacity_providers            = any<br/>  })</pre> | n/a | yes |
+| <a name="input_capacity_provider"></a> [capacity\_provider](#input\_capacity\_provider) | Configuration settings for the ECS capacity providers, including the capacity providers used for autoscaling and Fargate. This variable defines the properties of each capacity provider and how they are managed, such as scaling policies and termination protection. | <pre>object({<br/>    autoscaling_capacity_providers = map(object({<br/>      name                           = optional(string)<br/>      auto_scaling_group_arn         = string<br/>      managed_termination_protection = optional(string, "DISABLED")<br/>      managed_draining               = optional(string, "ENABLED")<br/>      managed_scaling = optional(object({<br/>        instance_warmup_period    = optional(number)<br/>        maximum_scaling_step_size = optional(number)<br/>        minimum_scaling_step_size = optional(number)<br/>        status                    = optional(string)<br/>        target_capacity           = optional(number)<br/>      }))<br/>      tags = optional(map(string), {})<br/>    }))<br/>    use_fargate                = bool<br/>    fargate_capacity_providers = any<br/>  })</pre> | n/a | yes |
 | <a name="input_cidr_blocks"></a> [cidr\_blocks](#input\_cidr\_blocks) | CIDR blocks for security group ingress rules | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
-| <a name="input_create_alb"></a> [create\_alb](#input\_create\_alb) | Flag to create or skip the creation of ALB | `bool` | `false` | no |
-| <a name="input_create_service"></a> [create\_service](#input\_create\_service) | Flag to create or skip the creation of ECS demo service | `bool` | `false` | no |
 | <a name="input_ecs_cluster"></a> [ecs\_cluster](#input\_ecs\_cluster) | The ECS-specific values to use such as cluster, service, and repository names.<br/><br/>Keys:<br/>  - cluster\_name: The name of the ECS cluster.<br/>  - cluster\_configuration: The execute command configuration for the cluster.<br/>  - cluster\_settings: A list of cluster settings (e.g., container insights). Default is an empty list.<br/>  - cluster\_service\_connect\_defaults: Configures a default Service Connect namespace.<br/>  - create\_cloudwatch\_log\_group: Boolean flag to specify whether to create a CloudWatch log group for the ECS cluster. | <pre>object({<br/>    name = string<br/>    configuration = optional(object({<br/>      execute_command_configuration = optional(object({<br/>        kms_key_id = optional(string, "")<br/>        logging    = optional(string, "DEFAULT")<br/>        log_configuration = optional(object({<br/>          cloudwatch_encryption_enabled = optional(bool, null)<br/>          log_group_name                = optional(string, null)<br/>          log_group_retention_in_days   = optional(number, null)<br/>          log_group_kms_key_id          = optional(string, null)<br/>          log_group_tags                = optional(map(string), null)<br/>          s3_bucket_name                = optional(string, null)<br/>          s3_bucket_encryption_enabled  = optional(bool, null)<br/>          s3_key_prefix                 = optional(string, null)<br/>        }), {})<br/>      }), {})<br/>    }), {})<br/>    create_cloudwatch_log_group = bool<br/>    service_connect_defaults    = optional(map(string), null)<br/>    settings                    = optional(any, null)<br/>    tags                        = optional(map(string), null)<br/>  })</pre> | n/a | yes |
-| <a name="input_ecs_service"></a> [ecs\_service](#input\_ecs\_service) | The ECS-specific values to use such as cluster, service, and repository names. | <pre>object({<br/>    cluster_name             = string<br/>    service_name             = string<br/>    repository_name          = string<br/>    enable_load_balancer     = bool<br/>    aws_lb_target_group_name = optional(string)<br/>  })</pre> | n/a | yes |
+| <a name="input_ecs_service"></a> [ecs\_service](#input\_ecs\_service) | The ECS-specific values to use such as cluster, service, and repository names. | <pre>object({<br/>    cluster_name             = string<br/>    service_name             = string<br/>    repository_name          = string<br/>    enable_load_balancer     = bool<br/>    aws_lb_target_group_name = optional(string)<br/>    create_service           = optional(bool, false)<br/>  })</pre> | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment associated with the ECS service | `string` | n/a | yes |
 | <a name="input_lb"></a> [lb](#input\_lb) | ALB-related information (listening port, deletion protection, security group) | <pre>object({<br/>    name                 = string<br/>    listener_port        = number<br/>    deregistration_delay = optional(number)<br/>    security_group_id    = string<br/>  })</pre> | n/a | yes |
 | <a name="input_listener_rules"></a> [listener\_rules](#input\_listener\_rules) | List of listener rules to create | <pre>list(object({<br/>    priority = number<br/><br/>    conditions = list(object({<br/>      field  = string<br/>      values = list(string)<br/>    }))<br/><br/>    actions = list(object({<br/>      type             = string<br/>      target_group_arn = optional(string)<br/>      order            = optional(number)<br/>      redirect = optional(object({<br/>        protocol    = string<br/>        port        = string<br/>        host        = optional(string)<br/>        path        = optional(string)<br/>        query       = optional(string)<br/>        status_code = string<br/>      }), null)<br/><br/>      fixed_response = optional(object({<br/>        content_type = string<br/>        message_body = optional(string)<br/>        status_code  = optional(string)<br/>      }), null)<br/>    }))<br/>  }))</pre> | n/a | yes |

example/main.tf

@@ -20,12 +20,6 @@ provider "aws" {
 module "ecs_cluster" {
   source = "../"
 
-  ##########################################
-  ## Flags for ALB and service modules
-  ##########################################
-  create_alb     = true
-  create_service = true
-
   #####################
   ## ecs cluster
   #####################
@@ -46,8 +40,8 @@ module "ecs_cluster" {
   }
 
   capacity_provider = {
-    autoscaling_capacity_providers        = {}
-    default_capacity_provider_use_fargate = true
+    autoscaling_capacity_providers = {}
+    use_fargate                    = true
     fargate_capacity_providers = {
       fargate_cp = {
         name = "FARGATE"
@@ -68,6 +62,7 @@ module "ecs_cluster" {
     repository_name          = "12345.dkr.ecr.us-east-1.amazonaws.com/arc/arc-poc-ecs"
     enable_load_balancer     = false
     aws_lb_target_group_name = "arc-poc-alb-tg"
+    create_service           = false
   }
 
   task = {
@@ -91,9 +86,10 @@ module "ecs_cluster" {
   cidr_blocks = null
 
   alb = {
-    name     = "arc-poc-alb"
-    internal = false
-    port     = 80
+    name       = "arc-poc-alb"
+    internal   = false
+    port       = 80
+    create_alb = false
   }
 
   alb_target_group = [{

main.tf

@@ -14,9 +14,9 @@ module "ecs_cluster" {
   }
 
   capacity_provider = {
-    autoscaling_capacity_providers        = var.capacity_provider.autoscaling_capacity_providers
-    default_capacity_provider_use_fargate = var.capacity_provider.default_capacity_provider_use_fargate
-    fargate_capacity_providers            = var.capacity_provider.fargate_capacity_providers
+    autoscaling_capacity_providers = var.capacity_provider.autoscaling_capacity_providers
+    use_fargate                    = var.capacity_provider.use_fargate
+    fargate_capacity_providers     = var.capacity_provider.fargate_capacity_providers
   }
 }
 
@@ -26,7 +26,7 @@ module "ecs_cluster" {
 ################################################################################
 
 module "alb" {
-  count  = var.create_alb ? 1 : 0
+  count  = var.alb.create_alb ? 1 : 0
   source = "./modules/alb"
 
   vpc_id      = var.vpc_id
@@ -81,7 +81,7 @@ module "alb" {
 ################################################################################
 
 module "ecs_service" {
-  count  = var.create_service ? 1 : 0
+  count  = var.ecs_service.create_service ? 1 : 0
   source = "./modules/ecs_service"
 
   vpc_id      = var.vpc_id

modules/alb/data.tf

@@ -12,8 +12,3 @@ data "aws_subnet" "public" {
 
   id = each.value
 }
-
-# To get VPC CIDR for ALB security group as default ingress
-data "aws_vpc" "this" {
-  id = var.vpc_id
-}

modules/alb/locals.tf

@@ -5,6 +5,6 @@ locals {
     s.id if lookup(s.tags, "Type", "") == "public"
   ]
 
-  cidr_blocks = var.cidr_blocks != null ? var.cidr_blocks : [data.aws_vpc.this.cidr_block]
+  cidr_blocks = var.cidr_blocks == null ? ["0.0.0.0/0"] : var.cidr_blocks
 
 }

modules/alb/main.tf

@@ -20,13 +20,6 @@ resource "aws_security_group" "lb_sg" {
   description = "Default security group for internet facing ALB"
   vpc_id      = var.vpc_id
 
-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = local.cidr_blocks
-  }
-
   ingress {
     from_port   = 443
     to_port     = 443

modules/ecs_cluster/.terraform.lock.hcl

@@ -120,8 +120,8 @@ resource "aws_ecs_capacity_provider" "this" {
 
 locals {
   default_capacity_providers = merge(
-    { for k, v in var.capacity_provider.fargate_capacity_providers : k => v if var.capacity_provider.default_capacity_provider_use_fargate },
-    { for k, v in var.capacity_provider.autoscaling_capacity_providers : k => v if !var.capacity_provider.default_capacity_provider_use_fargate }
+    { for k, v in var.capacity_provider.fargate_capacity_providers : k => v if var.capacity_provider.use_fargate },
+    { for k, v in var.capacity_provider.autoscaling_capacity_providers : k => v if !var.capacity_provider.use_fargate }
   )
 }
 

modules/ecs_cluster/main.tf

@@ -78,7 +78,7 @@ variable "capacity_provider" {
       }))
       tags = optional(map(string), {}) # Optional; default to empty map
     }))
-    default_capacity_provider_use_fargate = bool
-    fargate_capacity_providers            = any
+    use_fargate                = bool
+    fargate_capacity_providers = any
   })
 }